An issue in Cppcheck 2.12 dev allows a local attacker to execute arbitrary code via the removeContradiction parameter in token.cpp:1934. https://sourceforge.net/p/cppcheck/discussion/general/thread/fa43fb8ab1/
Created cppcheck tracking bugs for this issue: Affects: epel-all [bug 2238466] Affects: fedora-all [bug 2238465]
From the upstream bug: "That is clearly invalid code. Cppcheck generally assumes that its input is compileable." This is a bug, but clearly not a security vulnerability. If a "local code execution" needs shell, it is possible for an attacker to do much more than pass arbitrary strings to cppcheck.
(In reply to Siddhesh Poyarekar from comment #3) > From the upstream bug: > > "That is clearly invalid code. Cppcheck generally assumes that its input is > compileable." > > This is a bug, but clearly not a security vulnerability. If a "local code > execution" needs shell, it is possible for an attacker to do much more than > pass arbitrary strings to cppcheck. Indeed. Also, how is this related to RHEL-8? Unless I am mistaken, the version of cppcheck in RHEL-8 is 2.4 whereas this use-after-free error is on cppcheck 2.12. Looking at the code, 2.4 is quite different from 2.12. I have tried to reproduce the error by compiling cppcheck 2.4 (from the RHEL 8.8 branch) with asan as described in https://sourceforge.net/p/cppcheck/discussion/general/thread/fa43fb8ab1, I ran bin/cppcheck on the "poc" input program and ... there was no error. What am I missing?